How to Provision a Pope in 6 Easy Steps

Having deprovisioned your previous Pope, you thought your work was done. But just as soon as you’ve settled back into your desk chair you see it – white smoke wafting up from the chimney. It’s time to provision a new Pope!

Step 1 – Meet the new Pope

First things first, go meet the new Pope. Invariably new Popes arrive with a panoply of devices that they want to connect and continue to use, and this one is no different. You and your CISO take an inventory of all the gadgets the new Pope wants to use: iPhone, Android tablet, Xbox, Chromebook, etc. With list in hand, you’ll have to start working with your security and device management peers on a strategy to quickly get those devices working with your infrastructure. (If the new Pope doesn’t get his time playing WoW: Mist of Pandaria, he gets a bit grumpy.)

Step 2 – Don’t wait for HR

You can’t leave the Pope just to sit on his mitre and wait for access to business systems. The new Pope has got to be productive from minute one of his Popehood. But unfortunately, the new Pope won’t be in the HR feed until the next payroll run, which isn’t for another 12 days. Mussolini might have made the trains run on time, but not even he could do anything about HR. To be fair, a new Pope isn’t really a new hire but a strange combination of a transfer and a new persona; needless to say, HR is going to need to take their time. This means you cannot wait for the HRMS to signal the user provisioning system to kick into action. Time for the manual bypass! Hand-register the new Pope in the user provisioning system, but be ready for some strangeness when the new Pope does finally show up in the HR feed – misspellings, wrong job codes, and missing data will lead to odd provisioning events.

Step 3 – Monitor the birthrights

Once the new Pope is in the user provisioning system, birthright application provisioning ought to kick off. It did kick off, correct? Good. Ideally you’d have a way to signal that the new Pope is a VIP and that those provisioning requests should be put at the top of the queue for processing. Just like password resets, VIP provisioning should get priority through the workflow engine. If you don’t have provisioning connectors for all the birthright applications, you’ll have to phone up the user admin team and make sure that they build the new Pope’s accounts immediately.

Step 4 – Assign the “special” role

You did create a few broad enterprise roles when you deployed the user provisioning system? Good. Time to dust off the rarely assigned “special” role. This is the role that will give the new Pope access to special Pope-only resources – such as the complete donor registry and the Cardinals’ communication portal. Once you’ve assigned this, don’t forget to call the CIO and CISO and make sure that they approve the role assignment immediately – hopefully via their mobile devices. (If that doesn’t work, try sending another white smoke signal.)

Step 5 – Get the solid gold token

While the provisioning system is chugging along, you’ll need to get the new Pope his stronger authentication credentials. This is going to be tough. Papal experience is key for the new Pope, and a cumbersome authentication process isn’t going to please the Pontiff. Try an NFC-based hardware token embedded into his staff. You might be able to fit a hardware OTP generator into his ring. Or perhaps an out-of-band OTP to those mobile devices of his. Whatever you choose, be ready with plans B and C. Remember, lost devices and difficult user interfaces are going to be your problem.

Step 6 – Authorize the Authority

Remember how you pulled the old Pope out of approval workflows when you deprovisioned him? Well, now you have to put the new Pope back into those workflows. For highly sensitive systems and segregation of duties violations, people are likely going to need the new Pope’s approval. This probably won’t happen on day 1; it will take you a while to weave the new Pope into the workflow system.
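The control points that Steps 2 through 4 lean on (a hand-registered identity that must be reconciled against the HR feed when it finally arrives, a priority lane for VIP provisioning requests, and a sensitive role that is only granted once the named approvers sign off) can be seen in a small toy model. This is an added example and not code from the post or from any provisioning product; the `ProvisioningSystem` class, the `pope-special` role, the approver ids and the HR feed fields are all constructed for illustration.

```python
"""Added example (not from the original post): a toy user provisioning
model showing three controls from the steps above.
  * Manual registration is reconciled against the later HR feed; mismatches
    and missing fields are reported instead of silently overwriting the
    hand-entered record.
  * A priority queue lets VIP provisioning events be processed first.
  * A sensitive role is granted only after every named approver signs off.
All ids, names, roles and feed fields are constructed for this example."""
from dataclasses import dataclass, field
import heapq
import itertools


@dataclass
class Identity:
    user_id: str
    given_name: str
    family_name: str
    job_code: str
    source: str                       # "manual" until the HR feed confirms it
    roles: set = field(default_factory=set)


_seq = itertools.count()              # tie-breaker so heap entries never compare events


class ProvisioningSystem:
    # Hypothetical sensitive role and the approvers it requires (assumption).
    SENSITIVE_ROLES = {"pope-special": {"cio", "ciso"}}

    def __init__(self):
        self.identities = {}
        self.queue = []               # heap of (priority, seq, event)
        self.pending_approvals = {}   # (user_id, role) -> approvers still needed

    # Step 2: hand-register before the HR feed arrives
    def register_manually(self, user_id, given, family, job_code, vip=False):
        ident = Identity(user_id, given, family, job_code, source="manual")
        self.identities[user_id] = ident
        # Step 3: VIPs jump the queue (priority 0 sorts ahead of 1)
        heapq.heappush(self.queue, (0 if vip else 1, next(_seq), ("birthright", user_id)))
        return ident

    def reconcile_hr_feed(self, feed_record):
        """Compare the HR record with the manual one and return a list of
        discrepancies; the record becomes HR-authoritative only when clean."""
        ident = self.identities.get(feed_record["user_id"])
        if ident is None:
            return ["no manual record; creating one would duplicate the identity"]
        issues = []
        for attr in ("given_name", "family_name", "job_code"):
            hr_value = feed_record.get(attr)
            if hr_value in (None, ""):
                issues.append(f"missing {attr} in HR feed")
            elif hr_value != getattr(ident, attr):
                issues.append(f"{attr}: manual={getattr(ident, attr)!r} hr={hr_value!r}")
        if not issues:
            ident.source = "hr"
        return issues

    def next_event(self):
        """Pop the highest-priority provisioning event, or None if idle."""
        if not self.queue:
            return None
        _, _, event = heapq.heappop(self.queue)
        return event

    # Step 4: the "special" role needs explicit sign-off from every approver
    def request_role(self, user_id, role):
        approvers = self.SENSITIVE_ROLES.get(role)
        if approvers is None:
            self.identities[user_id].roles.add(role)
            return "granted"
        self.pending_approvals[(user_id, role)] = set(approvers)
        return "pending"

    def approve(self, user_id, role, approver):
        needed = self.pending_approvals.get((user_id, role))
        if needed is None or approver not in needed:
            return "ignored"          # unknown request, or approver not on the list
        needed.discard(approver)
        if needed:
            return "pending"
        del self.pending_approvals[(user_id, role)]
        self.identities[user_id].roles.add(role)
        return "granted"


def demo():
    """Walk one constructed new-Pope scenario and return the observable results."""
    ps = ProvisioningSystem()
    ps.register_manually("u100", "Jane", "Doe", "ANL2")            # ordinary hire, queued first
    ps.register_manually("p266", "Francis", "I", "POPE", vip=True)  # VIP, queued second
    first = ps.next_event()                                         # VIP still comes out first
    # Constructed HR feed record with a misspelled name and a missing job code
    issues = ps.reconcile_hr_feed(
        {"user_id": "p266", "given_name": "Francs", "family_name": "I", "job_code": ""})
    ps.request_role("p266", "pope-special")
    ps.approve("p266", "pope-special", "cio")
    status = ps.approve("p266", "pope-special", "ciso")
    return first, issues, status, ps.identities["p266"].roles


if __name__ == "__main__":
    print(demo())
```

The reconciliation step is the one worth copying: the manual record is never overwritten by the feed, and the feed record only becomes authoritative when it matches, so the misspellings and missing job codes Step 2 warns about surface as a review list rather than as surprise provisioning events.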

See? That wasn’t so hard. Six easy steps and your new Pope is ready to go. Maybe he’ll be so impressed that he’ll take you for a spin in the Popemobile.

Published by

Ian Glazer

Ian Glazer is a senior analyst for Burton Group’s Identity and Privacy Strategies service. He covers identity audit, user provisioning, controls management, and privacy. Prior to joining Burton Group, Ian was senior director of program management at Approva Corporation, director of identity strategy at Trusted Network Technologies, and senior product manager at IBM, where he was a top-ranked product manager on the IBM Tivoli Identity Manager team, heading provisioning offerings for small and medium businesses. Ian is a strong advocate for industry standards and efficacy. He was a contributor to the OASIS Provisioning Services Technical Committee and is a co-inventor of the patent-pending Web Services Federated Provisioning. Ian is a frequent speaker and panelist at identity leadership events and is an active blogger on identity management and security issues.
